If you transfer personal data outside of the UK, and particularly if you transfer it to the US, you may be aware that over the past few years there have been some significant changes. And it looks like there could be more on the horizon….

* It is important to note that “transferring” means anything from sending an email containing personal data to someone outside of the UK to using a cloud service provider based in the US.


Legal background…

The starting point is that under data protection law, transferring personal data outside of the UK is not permitted unless:

  • the other country has been granted an adequacy decision;
  • in the case of the US, the US recipient company was signed up to the Privacy Shield;
  • there are Binding Corporate Rules (“BCRs”) in place;
  • the contract between the sender and recipient contains the Standard Contractual Clauses (“SCCs”); or
  • certain conditions are met, such as having the consent of the individual who’s personal data is being transferred,

(“appropriate safeguards”).


Schrems I

Pre-2016 there was an agreement in place between the EU and the US allowing transfers of personal data to the US based on a mechanism called Safe Harbour. Following a compliant made by an individual called Maximilian Schrems, this was overruled and subsequently replaced with a new mechanism called EU-US Privacy Shield. See “Sitting on the dock of the bay” for more information.


Schrems II

Schrems then made a further complaint over the transfer of his personal data by Facebook Ireland to Facebook Inc. in the US. Schrems argued that the Privacy Shield was, as with its predecessor,  inadequate in protecting his data – particularly from US intelligence agencies who still may access it.

And the court agreed – meaning that the Privacy Shield is no longer an appropriate safeguard! In addition, the court found that the SCCs may also not go far enough in protecting data as it simply requires sticking these in the contract without any further due diligence.

As this was before the end of Brexit transition period, this decision therefore applied to the UK.


What do you need to do?

You should:

  • Identify if you transfer personal data outside of the UK
  • If yes, identify which appropriate safeguard you rely on
    • If you were relying on the Privacy Shield (which only relates to transfers to the US), you must immediately stop and identify a different appropriate safeguard!
    • If you are relying on the SCCs or BCRs – you now need to carry out a risk assessment as to whether SCCs/BCRs provide enough protection within the laws of the country where the data is being transferred.
    • If you are relying on the other exemptions, such as consent, then there is nothing more you need to do at this stage.


Further changes?

The Government has recently released its proposals for changes to data protection moving forward now that the UK is no longer bound by the EU’s version of the GDPR.

In it they state that the Schrems II decision was “particularly disruptive” and that they will be “working to reduce unnecessary barriers to cross-border data flows”. This seems to suggest that the Privacy Shield (or something similar) may be reintroduced in the future. However this is just a proposal at the moment so unless and until the rules change its important to follow the above requirements.

We have strategic and operational DPO experience of delivering programmes so get in touch if you need help creating and/or implementing a data protection programme within your business. Contact Alison on alison@law-point.co.uk or call 01202 729444.